- For each of the bit-lengths one curve shall be proposed.
- The base field size should be congruent to .
- The curve should be -isomorphic to a curve with .
- The prime must not be of a special form in order to avoid patented fast arithmetic on the base field.
- The order of the curve should be smaller than the size of the base field .
- The curve coefficient should be non-square in .
- The embedding degree should be large, where is the order of the basepoint and the size of the base field. Specifically, .
- The curves are not trace one curves. Specifically .
- The class number of the maximal order of the endomorphism ring of the curve is larger than .
- The group order should be a prime number .
Original methodBrainpool published their method of generating verifiably random curves in the ECC Brainpool Standard Curves and Curve Generation  document, along with generated domain parameters claimed to be generated using the presented method and seeds. However, the presented curves were (with the exception of the 512-bit curves) not generated using the presented method, as they have properties that can not result from the presented method of generating curves. See the BADA55 paper  for more information.
RFC 5639 methodBrainpool published an RFC with their fixed method of generating verifiably random curves and generated curves in RFC 5639 , which matches the generated curves and seeds.
- Manfred Lochter: ECC Brainpool Standard Curves and Curve Generation v. 1.0, [archive]
- Manfred Lochter, Johannes Merkle: Elliptic Curve Cryptography (ECC) Brainpool Standard Curves and Curve Generation (RFC5639)
- BADA55 Research Team: BADA55 Crypto - Brainpool curves